Overview

overview

10

Static

static

3

8e3e000751...f6.exe

windows7-x64

10

8e3e000751...f6.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0d1fa230547e8327115e01b3f5956133.zip

  • Size

    416KB

  • Sample

    240901-dpr1eszgle

  • MD5

    9c5caecc1e1d0d6bbce32a22718afa92

  • SHA1

    30cbd391f1785b882959463f333afb797a8c93c4

  • SHA256

    f171614979a8a8e605abcc22ba61300a7597670861ba014570e3c8c9dee7590a

  • SHA512

    d3956b50aca9d4212383af6387a7339b39e1180efb1897d3992c720f59d141c7cb53f294470335271eaa0ce13bec752160059565ec44ca337da31e59df7e3027

  • SSDEEP

    6144:Ne+crvUq7YAJQsoS9s7JbxZy55zvhhBh/IN2KpIZJsyh5KBM6cfAbvUNRpPq:YlrP7CsoR2zrK2XZJPqxONNRo

Score
10/10
agentteslacollectioncredential_accessdiscoverykeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.mail.ru
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    xxxlahot2

Targets

    • Target

      8e3e00075143d3fd621479fb61188c41560186ce1877e83e9d1e938b866adef6

    • Size

      498KB

    • MD5

      0d1fa230547e8327115e01b3f5956133

    • SHA1

      a2942ed55a16fd4b0ca9ac6b7552fbeb5509ecb7

    • SHA256

      8e3e00075143d3fd621479fb61188c41560186ce1877e83e9d1e938b866adef6

    • SHA512

      7dd223bb25b6ad0f7ec0beb6880ba0fc29404cae8f5548745172f7ae04abe34668e4b3183f3869c4dabf4fcd7fd512976363d4909bd9156b47625598e259a414

    • SSDEEP

      6144:FuxpYkSlNpfOCgxdx1ZcGv9WMPznQIGHnmC7I85eVmftpQ6cxHn8eI+mOmFzivqb:F35OCgLxbZvTgzEeqmf3Q7vsFz2qb

    Score
    10/10
    agentteslacollectioncredential_accessdiscoverykeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Tasks